TOM KEMP'S CENTRIFY BLOG

Enabling SAP Single Sign-On (SSO) Leveraging Active Directory

Tuesday, June 17, 2008

Having recently written about how DirectControl can integrate non-Microsoft web servers into Active Directory, I want to provide some insight into our efforts in extending Active Directory-based single sign-on to SAP ERP applications running on UNIX and Linux systems. This blog post on our SAP SSO solution is a complement to our upcoming webinar on SAP SSO using Active Directory (which I urge you to register for :-) ) and other resources such as our white paper on SAP SSO.

As you know, many of the largest, most recognizable and successful organizations use SAP, and a large number of these SAP deployments run on UNIX or Linux servers at the backend. But to the end-users within those organizations that need access to SAP, this means yet another username and password they have to remember and constantly enter and re-enter. To IT managers, SAP represents yet another authentication and identity store to manage. In addition, given the sensitive nature of the data stored in SAP systems, there is a compelling need from both a security and compliance perspective to ensure that communication and access to that sensitive data is done in a highly secure manner.

In most organizations, Microsoft's Active Directory is now the de facto standard for providing authentication and identity management for Windows systems and applications. Centrify's DirectControl extends Active Directory's reach to UNIX, Linux, Mac, Java/web and database environments. Centrify DirectControl for SAP goes one step farther by enabling Active Directory-based single sign-on for SAP. This means Windows users using SAP GUI and non-Windows users using SAP Java client can enter their Active Directory credentials to access SAP running on UNIX or Linux without having to remember or re-enter another username and password. And auditors and security professionals can feel safe that access to SAP is more secure due to DirectControl's use of Kerberos.

In order to address the challenge of providing a more secure, Active Directory-centric SSO solution for SAP, Centrify provides a solution that consists of the following components:

  • DirectControl for Systems. Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating your UNIX, Linux, Mac, Java/web and database platforms with Microsoft Active Directory. The DirectControl Agent effectively turns a non-Microsoft system into an Active Directory client, enabling you to secure that system using the same operating system-level authentication, authorization and Group Policy services currently deployed for your Windows systems. DirectControl is non-intrusive, easy to deploy and manage, and is the only solution that enables fine-grained operating system access control through its unique Zone technology.
  • DirectControl for SAP. The DirectControl for SAP module is an extension of SAP's Secure Network Communications ("SNC") providing single sign-on for an SAP client based on the exchange of Kerberos tickets. By implementing the Generic Security Services API (GSS-API), DirectControl for SAP provides the necessary SNC extensions to enable Kerberos ticket exchange from the SAP client to the SAP server. Additional security, including signing and encrypting of data that is communicated between the SAP client and server, is provided by leveraging these Kerberos tickets.

Secure Network Communication (BC-SNC) is provided by SAP as a standard layer for SAP to integrate and interface with third-party security software. SNC enables a secure connection between SAP clients, servers and services. This layer is designed to allow third-party security software providers to cleanly and comprehensively integrate with SAP to provide security services such as SSO authentication.

The simple steps to set up the various components of this solution are as follows:

  1. Join the SAP server to Active Directory with DirectControl.
  2. Configure Kerberos and the SAP service.
  3. Configure SNC on the SAP server.
  4. Configure SNC on the SAPgui.
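Step 3 above sets the SNC parameters in the SAP instance profile. The following is an added example, not code from Centrify or SAP, that parses such a profile and checks it against a baseline for Kerberos-based SNC: SNC enabled, a GSS-API library and a printable SNC identity configured, privacy-level protection (signing plus encryption, as the post describes), and no insecure non-SNC logon path left open beside the SSO path. The parameter names are SAP's documented snc/* profile parameters; the sample profile contents, library path and identity are constructed placeholders.

```python
import re
from typing import Dict, List
# Added example, not Centrify's or SAP's own code. The parameter names are
# SAP's documented snc/* instance-profile parameters; the sample profile,
# its library path and its SNC identity are constructed placeholders.
SAMPLE_PROFILE = """\
# SAP instance profile excerpt (constructed for this example)
snc/enable = 1
snc/gssapi_lib = /path/to/gssapi-library.so
snc/identity/as = p:sapservice@EXAMPLE.COM
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
"""
# SNC protection levels: 1 = authentication only, 2 = integrity (signing),
# 3 = privacy (signing plus encryption), which is what the post describes.
PRIVACY = "3"
PARAM_RE = re.compile(r"^\s*([^=#\s]+)\s*=\s*(.*?)\s*$")

def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            m = PARAM_RE.match(line)
            if m:
                params[m.group(1)] = m.group(2)
    return params

def audit_snc(params: Dict[str, str]) -> List[str]:
    """Return findings against a Kerberos-SNC baseline; [] means it is met."""
    findings = []
    if params.get("snc/enable") != "1":
        # With SNC off, the remaining snc/* values are irrelevant.
        return ["snc/enable is not 1: SNC (and Kerberos SSO) is off"]
    if not params.get("snc/gssapi_lib"):
        findings.append("snc/gssapi_lib missing: no GSS-API library loaded")
    if not params.get("snc/identity/as", "").startswith("p:"):
        findings.append("snc/identity/as missing or not a printable 'p:' name")
    for key in ("snc/data_protection/max", "snc/data_protection/use"):
        if params.get(key) != PRIVACY:
            findings.append(f"{key} is not 3: traffic not signed and encrypted")
    # A value of 1 (or U, per-user) keeps a password logon path open beside SNC.
    for kind in ("gui", "rfc", "cpic"):
        key = f"snc/accept_insecure_{kind}"
        if params.get(key) != "0":
            findings.append(f"{key} is not 0: non-SNC {kind} logons accepted")
    return findings
```

Run `audit_snc(parse_profile(open("/path/to/instance_profile").read()))` against a real profile; the sample above reports only that insecure SAPgui logons are still accepted.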

See our SAP whitepaper for details on each one of these. Once the DirectControl for SAP solution is deployed, the basic steps to the authentication are as follows:

  1. When a user first signs on to a Windows XP workstation, a Kerberos ticket-granting ticket (TGT) is obtained from Active Directory.
  2. When the user then opens SAPgui, XP requests, via SNC, an SAP service ticket from the SAP Server/Router using the previously obtained TGT. SNC passes the service request to the DirectControl Agent.
  3. The DirectControl Agent validates the ticket with Active Directory.
  4. The user is granted access and a secure user session is provided back to the client.

Similar to the DirectControl for Java/Web solution, I believe it is important to understand some of the enterprise-level features of the DirectControl for SAP on UNIX solution that are not generally available in alternative approaches:

  • Full Support for Active Directory Policies: DirectControl for SAP on UNIX talks directly to Active Directory; therefore, all native Active Directory features are supported. This includes support for a centrally managed password policy and the flexible user-naming conventions of Active Directory.
  • Cross-Domain Authentication: Users who are authenticated members of a remote domain can access an application server joined to another domain if the appropriate cross-domain trust relationship has been established. This occurs without the user being prompted for credentials. This is the same behavior that users would expect in an all-Windows environment.
  • Gold Standard Kerberos: Leveraging the MIT reference implementation of Kerberos, DirectControl delivers the most compatible and mature approach to Kerberos-based Active Directory authentication for enterprise applications. While many platforms offer some type of Kerberos support, setting up and administering the Kerberos service to talk with Active Directory securely and reliably can be a complex task on non-Microsoft platforms. With the DirectControl Agent installed, the host platform becomes Active Directory-aware and can take advantage of Active Directory services - such as automatic updates of keytab files and keytab versioning, automatic time synchronization with Active Directory, local caching for disconnected mode, and dynamic DNS support - that greatly simplify initial configuration and provide a much higher degree of maintainability and reliability.

I hope this post provides a good overview of the challenges customers face with SSO for SAP on UNIX and of how the solution Centrify provides to address these challenges has been helpful. The beauty of the Centrify solution is that customers not only get SSO into SAP, but administrators have a single place to control authentication, so once a user is disabled in Active Directory, they can't log in to SAP even if the user account still exists within SAP.

Don't forget to join us for more details, demos and customer examples in our webinar on integrating SAP on UNIX with Active Directory.

[Special thanks to Corey Williams for assistance on this blog post and providing much of the content.]

